For anyone who has ever forgotten a password, Facebook has help

Trusted Contacts: like giving a friend a copy of your house key.

If you've ever forgotten an important password, Facebook has an innovative solution for you. On Thursday, engineers with the social network rolled out a new(ish) feature that helps users regain control of an account after being locked out of it.

The concept behind Trusted Contacts is the same idea behind giving a trusted friend or neighbor a copy of your house key. If you lose yours, you can always count on one of them to help you get back inside. The Facebook feature actually requires the help of multiple separate trusted friends designated in advance. If a user forgets her password or is otherwise locked out of an account, she can request that Facebook send different one-time security codes to up to five friends. Once the user supplies three of the security codes sent, Facebook will reset the account password.
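The flow described above, as an added illustration written for this article rather than Facebook's own code: a small server-side model of a recovery session that issues one distinct one-time code per designated contact and resets the account only after codes from three different contacts have been relayed back. The 3-of-5 threshold comes from the article; the code length, one-hour lifetime, attempt limit, status strings and contact names are assumptions and constructed sample data.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Only the 3-of-5 threshold comes from the article; the rest are assumed parameters.
THRESHOLD = 3            # distinct contacts' codes needed to recover
MAX_CONTACTS = 5         # maximum designated contacts
CODE_LENGTH = 8          # digits per one-time code
CODE_TTL_SECONDS = 3600  # codes expire after an hour
MAX_ATTEMPTS = 10        # wrong guesses tolerated per recovery session


def _hash_code(code: str) -> str:
    # Store only a hash: a leaked database must not contain live recovery codes.
    return hashlib.sha256(code.encode()).hexdigest()


def _new_code() -> str:
    return "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))


@dataclass
class RecoverySession:
    issued_at: float
    code_hashes: Dict[str, str] = field(default_factory=dict)  # contact -> hash of code
    used_contacts: Set[str] = field(default_factory=set)       # contacts whose code was accepted
    bad_attempts: int = 0


class TrustedContactRecovery:
    """Model of one account's trusted-contact recovery (assumed design, not Facebook's)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.trusted: Set[str] = set()
        self.session: Optional[RecoverySession] = None

    def designate(self, contacts) -> None:
        """Owner picks contacts in advance, while still logged in."""
        chosen = set(contacts)
        if not THRESHOLD <= len(chosen) <= MAX_CONTACTS:
            raise ValueError(f"designate between {THRESHOLD} and {MAX_CONTACTS} contacts")
        self.trusted = chosen

    def request_recovery(self) -> Dict[str, str]:
        """Locked-out owner starts recovery: one distinct code per designated contact.

        The mapping is returned only so a simulation can 'deliver' the codes;
        a real service would send each code to that contact alone.
        """
        if not self.trusted:
            raise RuntimeError("no trusted contacts designated")
        codes: Dict[str, str] = {}
        for contact in sorted(self.trusted):
            code = _new_code()
            while code in codes.values():  # codes must identify exactly one contact
                code = _new_code()
            codes[contact] = code
        self.session = RecoverySession(
            issued_at=self.now(),
            code_hashes={c: _hash_code(code) for c, code in codes.items()},
        )
        return codes

    def submit_code(self, code: str) -> str:
        """Owner relays a code obtained from a contact; returns a status string."""
        s = self.session
        if s is None:
            return "no_session"
        if self.now() - s.issued_at > CODE_TTL_SECONDS:
            self.session = None
            return "expired"
        if s.bad_attempts >= MAX_ATTEMPTS:
            return "locked"
        digest = _hash_code(code)
        # Which contact's code is this? Constant-time comparison against each stored hash.
        matched = next((c for c, h in s.code_hashes.items()
                        if hmac.compare_digest(h, digest)), None)
        if matched is None:
            s.bad_attempts += 1
            return "invalid"
        if matched in s.used_contacts:
            return "already_used"  # replaying one contact's code is not a second vote
        s.used_contacts.add(matched)
        if len(s.used_contacts) >= THRESHOLD:
            self.session = None    # consumed; the owner may now set a new password
            return "recovered"
        return f"accepted_{len(s.used_contacts)}_of_{THRESHOLD}"


if __name__ == "__main__":
    # Constructed walk-through: five contacts, three codes relayed, one of them replayed.
    acct = TrustedContactRecovery()
    acct.designate(["alice", "bob", "carol", "dave", "erin"])
    codes = acct.request_recovery()
    for who in ["alice", "alice", "bob", "carol"]:
        print(who, "->", acct.submit_code(codes[who]))
```

The two checks worth noting are that a replayed code from the same contact does not count twice, so three codes must come from three different people, and that the session expires and locks after a bounded number of wrong guesses, so the codes cannot be brute-forced at leisure.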

"So your trusted contacts can be sure it's you trying to access your account, it's best to talk to them over the phone or in person," a Facebook blog post published Thursday advises. "Someone else can impersonate you through e-mail, chat, or text messages, or hack and read your messages."

Trusted Contacts, which engineers started testing in October, is one of several features rolled out in the past couple years to better protect Facebook users. In 2011, the company introduced limited two-factor authentication. It has also deployed systems to block spam and phishing messages and to detect fraudulent "likes," the endorsements Facebook users give to blog posts, businesses, and individuals.

Trusted Contacts seems like a good idea for anyone who's prone to forgetting passwords, but for the measure to be secure, it's important that users pick friends they truly trust. A good rule of thumb is to designate only people you'd be comfortable having house-sit for you while you're on vacation. You should also choose people you can reach without using Facebook.

Promoted Comments

You tell Facebook five people who know you the best. If you want to reset your password, Facebook sends these five people five different codes. You need to retrieve these codes from at least three of the people, and give these back to Facebook.

What if someone guesses who the five people are? Doesn't do them any good. They have to convince at least three of those people that they are you.

What if one is your girlfriend, and she breaks up with you? Doesn't matter, she doesn't have your password. She has no access to your account. All your former girlfriend can do is request Facebook to reset your password. Then, she has to convince two of the other four people to give her the codes, so she can reset your password.

What if my girlfriend is mad at me and won't give me the code? You have four other people that can give you their code.

Why doesn't it work the other way? Why not Facebook give you the code, and you contact your friends and give them the codes, and then they contact Facebook? How is that more secure? What that means is that you have to hope your friends bother contacting Facebook and giving them that code. It's much easier if Facebook sent them the code, and you can ask them what that code is.

Won't Facebook know who my friends are? They already know. And, they also know how drunk you got at that party last week and where you did it and with whom. This is Facebook. They know what pictures you're in. They know what bands you like and that you cried when Bambi's mother was shot. They know that you like curly fries. If you don't want Facebook to have all of that information, you shouldn't have a Facebook account.

What if I set up my Frat bros as my trusted contacts, and they prank me? If you can't figure out who you can trust the most in your life, you shouldn't be using the Internet.

This is better than two-step verification where the company sends you an SMS message with some code. Someone steals your cell phone, and they can do that second verification step. This is better than security questions where almost all of the answers could be found on someone's Facebook page. This is probably one of the most secure security schemes I have seen. It doesn't rely on technology, but on absolute personal trust.

I don't have any friends who are even able to secure their own passwords. Why would I want to let them give away mine?

To be fair, it doesn't appear as though this allows any individual one of your friends access to your account, nor does it actually give them your password. So, I don't think that this would compromise your security, unless 3+ of your designated friends conspire to get into your Facebook. Why there would ever be anything on anyone's Facebook that would be worth 3 people conspiring to get it, I don't know, but I suppose it will happen eventually.

Thanks for chiming in, Schmads. I was just about to say that most of the critical comments so far don't make much sense. If you have a Facebook account, you already trust the site with quite a lot of personal information. You don't trust them any more by making use of Trusted Contacts. Facebook already sees which friends you interact with most, so designating a handful of them as trusted doesn't tell Facebook anything it doesn't already know.

You also don't "give away" your password to your contacts.

This feature seems to be reasonably secure. An attacker doesn't know which of your friends have been designated as trusted, and even if the attacker correctly guesses one, to succeed he would have to correctly guess two more, and then trick all three into surrendering the one-time code. The criticisms in this thread so far have been vague. If someone can see a viable way for an attacker to exploit this system to gain unauthorized access to a Facebook account, I'd be interested in hearing it.

I would go further. It seems like progress over the standard 'Forgot Password' procedure which turns your email account into a skeleton key.

Oh good, now Facebook is providing me with a way to increase my social engineering attack vulnerability by letting me designate my stupid friends as custodians of my online identity! Just what I always wanted.

How is it Facebook's fault if you designate people who can't be trusted?

Well, another smart thing would be to have 5 contacts who don't know each other. Hard to achieve, but if I have 5 Trusted contacts who don't know each other then the odds of this leading to a breach are low.

I do like how we are using social engineering to increase, rather than decrease security now.

How is this system more vulnerable if the five contacts know each other?

I think what is interesting is that Facebook used to have a feature like this. The difference was that, originally, after you forgot your password, you could choose to send the keycode to any 3 of your Facebook "friends".

That was a huge security flaw, because social engineers would create multiple fake profiles who would friend a person, and then use the feature to send the keycodes to the fake friends, whose accounts they had access to.

Doing that with only the Trusted Contacts, which are pre-assigned, is a much better and secure way of approaching this.

If 3 of the 5 know each other, and for some reason decide to hack your account, you are at their mercy.

As an example, you are on a basketball team, and the team wants to play a prank on you, and you assigned 3 of your trusted contacts as your basketball buddies (something a teenager in high school is quite likely to do), well, you are screwed.

Just like the concept of giving a trusted neighbor or friend your house key, this system breaks down entirely if that person later turns out to be dishonest. As stated in the article, the only friends who should be designated as trusted are those you'd be comfortable house sitting for you while you're on vacation. Facebook users who don't have five such people on their friends list should most definitely not use this feature.

A) What happens when the account has been compromised? What is stopping someone from changing the trusted contacts?

B) What is stopping a motivated attacker from infiltrating and replacing the 'trusted contacts'?

C) In general, what is stopping general social engineering vectors from being deployed against the 'trusted' contacts? This sort of 'account control' seems vulnerable to a whole host of intimidation issues.

When you increase the number of people involved, you increase the total number of opportunities for an attacker to do harm. I'd argue that this 'security' is inherently less secure, and it's not even computer security at all.

Personally I prefer a multiple-doors, one-individual approach. Only one individual may pass, and they must use multiple keys. Statistically, it is much harder to collect every necessary bit of information than to fool a couple people.

Arcadium has a point that this is a decent security improvement over the old method, as you can now pre-assign contacts to send these codes to; however, the users themselves must first pre-assign these contacts in order for this improved version to work.

If not, then it would be fairly simple to find three accounts with which you could hijack someone's account, given of course that you know the email they use to log in. While this would prove difficult for high-profile accounts, especially celebrity accounts, as they are often done via an ad company, the issue is the ex-boyfriend/girlfriend or other disgruntled person using the old system against a user. In this case it is WAY more likely that the email used to log in is known by their attacker. Hell, it may even be on their profile.

Of course the argument could be made that it is on the user to secure their profile, but Facebook is notorious for not making their privacy settings clear and simple to set up, and you cannot reasonably expect the half billion users on the site to have a working understanding of all that is web privacy. Without making the pre-selection mandatory, Facebook leaves the system flawed and open to any person with a reasonable amount of time on their hands to play a joke on a friend, or maliciously harm another's account.

I tried this out myself today on my account by first trying to lock it (20 attempts and no lockout) and finally trying to recover my password. After clicking "I no longer have access to these emails," I was prompted to enter a new email and answer my security question or use the friends method. Were I to have fake accounts or had made deals with others, I could easily have changed not only my password but my email as well.

If your account is compromised, there's no need to re-compromise it. If your friends' accounts are compromised, I suppose this could be used as an escalation, but this still requires multiple other accounts to get hacked, and if all 5 aren't, you'll also be alerting others that the attack has begun. Much like giving a friend a key to your house, you're expecting the friend to secure the key and notice and alert you if that security is breached.

I'm not sure what everybody's concern is here. It seems far more secure than the current system where a hacked email account gives access to all other online systems.

Wouldn't it be better if instead of the friends giving the codes to you, you gave the codes to your friends? That is, this system seems backwards to me. Ostensibly, the idea is that Facebook is outsourcing user verification to real humans who know you. OK, that seems fine enough. BUT, I'd rather have a system where I request a password reset, I'm given codes, then I give one code each to two or three friends or colleagues, who pass them on to Facebook to verify that it's really me who requested the password reset.

Although, as I think about it, that might not provide any additional security vs giving the codes to friends to give to me. I'll have to think about it.

This system would not provide any extra security over the current one, as the accounts you would hand a code to could also be fake accounts. This version would also place too much responsibility on your friends as well though; it's simple to have a friend send you the code via text, but conversely, the amount of work is more.

Followup to my own post: further explanation of what I was thinking - what I mean is, Facebook would email your codes to your email account (much like most sites currently email a single reset code to your email account), you then give the codes to your friends, who go in and enter them.

As with sending a reset code to your email account, this doesn't work if you've lost access to your email account, BUT, it would add a barrier to someone hacking your email account - now, just gaining access to your email isn't sufficient, they also have to convince your friends to enter the codes for them.

What? The premise of Facebook's new system is that I designate REAL accounts, *ahead of time*, which are the only accounts authorized to verify me. I'm not sure you are understanding that part of the system. So, how would someone else setting up fake accounts do any good - those fake accounts aren't allowed to verify my password reset, *even if they have the right codes*?

If 3 out of 5 of your most trusted friends will conspire against you or will give away their parts of the key, then your problem is not computer security, it is your judgment of other people, and you are going to get far more than just your Facebook account stolen by these same friends. If you really trust no one, then I do not recommend turning on this feature.

If I am understanding Abstracting correctly, it appears that there may still be some way to specify trusted friends without knowing your password in an attempt to recover it, and this is a flawed method, because it opens you up to an issue where a few fake Facebook friend accounts can be used to hijack your account. I agree that this would be bad, just as arcadium described. I'm guessing that this is something leftover that Facebook needs to get rid of.

As I understand it, though, this should be an improvement in security, assuming you must set it up in advance for it to function. It does not reveal your password to anyone, and 3 of the 5 trusted people must be compromised in order for an attacker to get access to your account. If you were to choose friends that do not know each other well, or at least not well enough to realize that they are all your trusted friends, then it also becomes difficult for them to conspire against you, even if they were untrustworthy enough to want to do so.

Yes, you are correct. I keep forgetting the new system as they have not yet made it mandatory and therefore I had assumed the same for your idea. I apologize.

However as Schmads stated, unless it is made mandatory, then the system will never be as secure as it should be.

Well, if I have more than 5 friends I would trust with this, and had to choose between them, wouldn't you agree that you would be better off choosing 5 who have lesser relations between themselves?

Facebook has already made this more secure than your key example, by requiring 3 of 5 people to be untrustworthy for this to fail, as opposed to only 1 for the key. As a user, you can potentially make it even more secure, if when choosing between 2 people, you choose the one who is less likely to know the other 4.
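The arithmetic behind this comparison, as an added illustration that is not the commenter's own: if each contact is untrustworthy with some probability p (a constructed input, assumed independent), a 3-of-5 threshold is far harder to defeat than a single house key, but if three of the five act as one group the scheme degrades to exactly the single-key case. The group model and the sample values are assumptions for the example.

```python
from itertools import combinations
from math import comb


def p_key_compromise(p: float) -> float:
    """Single house key (1-of-1): the scheme fails if that one holder is untrustworthy."""
    return p


def p_threshold_compromise(n: int, k: int, p: float) -> float:
    """k-of-n with independent contacts: P(at least k of the n are untrustworthy)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def p_grouped_compromise(groups, k: int, p: float) -> float:
    """k-of-n where contacts come in groups that act together (teammates, a clique).

    groups lists the size of each group; a group is 'turned' independently with
    probability p and then hands over all of its members' codes. Returns
    P(turned groups hold at least k codes). Five singleton groups reproduce the
    independent case; one group of three collapses 3-of-5 to the single-key case.
    """
    m = len(groups)
    total = 0.0
    for r in range(m + 1):
        for turned in combinations(range(m), r):
            if sum(groups[i] for i in turned) >= k:
                total += p ** r * (1 - p) ** (m - r)
    return total


if __name__ == "__main__":
    p = 0.05  # constructed: one contact in twenty would betray or be tricked
    print("house key (1-of-1):      ", p_key_compromise(p))
    print("3-of-5, independent:     ", p_threshold_compromise(5, 3, p))
    print("3-of-5, two pairs + one: ", p_grouped_compromise([2, 2, 1], 3, p))
    print("3-of-5, clique of three: ", p_grouped_compromise([3, 1, 1], 3, p))
```

With p = 0.05 the independent 3-of-5 case comes out near 0.0012, roughly forty times safer than the single key, while a clique of three that moves together brings the figure straight back to 0.05. That is the quantitative form of the advice to pick contacts who do not know each other.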

Actually, my point was if you trust MORE than 5 people. You would make yourself even more secure by choosing a combination of 5 who have the least relationships between them.

I think the point of this system is to add a secure, non-email-dependent method of retrieving your account details, as opposed to making the current retrieval system more secure.

FB is doing a lot to spread across the world, and many people who might have FB won't have email. For example, you can go to developing countries, and get a phone from a carrier which only allows you to access Facebook, and not the rest of the WWW. Additionally, FB wants to start replacing all other modes of communication (phones, messaging, email) with their FB equivalents.

It's quite clear that FB wants to be your only communication platform. And for many people, soon this may happen. Which is why they are looking for FB only means of retrieving passwords.

If you don't know 5 people whom you'd trust, don't use this feature.

I agree with you completely, sorry if it appeared otherwise. People who you know in real life and trust, that do not know each other, would seem to be the best choices. Say, a coworker, your girlfriend, an online friend, etc. Then, even if the girlfriend were to become untrustworthy, she would have a difficult time conspiring with the coworker or an online friend with whom she has no contact.

Alternately, make yourself 5 extra fake Facebook accounts and designate those all as your trusted friends. Then you can just send yourself the keys, and don't have to actually worry about real friends at all (I think this would be against the Facebook TOS, and also a pretty bad idea!)